Merge pull request #7248 from Security-Onion-Solutions/feature/kratos-log-ingest

Ingest Kratos logs

salt/filebeat/etc/filebeat.yml

@@ -264,6 +264,36 @@ filebeat.inputs:
 
 {%- endif %}
 
+{%- if grains['role'] in ['so-eval', 'so-standalone', 'so-manager',  'so-managersearch', 'so-import'] %}
+- type: log
+  paths:
+    - /logs/kratos/kratos.log
+  fields:
+    module: kratos
+    category: host
+    tags: beat-ext
+  processors:
+    - decode_json_fields:
+        fields: ["message"]
+        target: ""
+        add_error_key: true
+    - rename:
+        fields:
+          - from: "audience"
+            to: "event.dataset"
+        ignore_missing: true
+    - add_fields:
+        when:
+          not: 
+            has_fields: ['event.dataset']
+        target: ''
+        fields:
+          event.dataset: access
+  fields_under_root: true
+  clean_removed: false
+  close_removed: false
+{%- endif %}
+
 {%- if INPUTS %}
 # USER PILLAR DEFINED INPUTS
 {{ INPUTS | yaml(False) }}